1. Field of the Invention
The present invention relates in general to security (authentication) features in the wireless communications field and, specifically, to a system and method for providing GSM-like and UMTS-like authentication in a CDMA2000 network environment. In one embodiment, the present invention relates to a system and method for using UMTS-like authentication to enable WLAN-CDMA2000 network interworking.
2. Description of Related Art
The following abbreviations are herewith defined, at least some of which are referred to in the ensuing description of the prior art and the preferred embodiments of the present invention.
3GPP Third Generation Partnership Project
3GPP2 Third Generation Partnership Project 2
AAA Authentication, Authorization and Accounting
AC Authentication Centre (CDMA2000)
AP Access Point
AK Anonymity Key
AKA Authentication and Key Agreement
AuC Authentication Centre (GSM/UMTS)
CDMA2000 Code Division Multiple Access 2000
CHAP Challenge Handshake Authentication Protocol
CAVE Cellular Authentication and Voice Encryption
EAP Extensible Authentication Protocol
EAPOL EAP Over LAN
EMSK Extended MSK
EWAS Ericsson WLAN Authentication Server
FA Foreign Agent
GSM Global System for Mobile Communications
GSMA GSM Association
HLR Home Location Register
HRPD High Rate Packet Data
IE Intermediate Entity
IMSI International Mobile Subscriber Identity
LAN Local Area Network
MAC Message Authentication Code
MSK Master Session Key
NAI Network Access Identifier
PAP Password Authentication Protocol
PPP Point-to-Point Protocol
RADIUS Remote Authentication Dial In User Service
RUIM Removable UIM
SIM Subscriber Identity Module
SSD Shared Secret Data
TEK Transient EAP Key
UIM User Identity Module
UMTS Universal Mobile Telecommunications System
USIM UMTS SIM
WCDMA Wideband Code Division Multiple Access
WLAN Wireless LAN
Referring to FIG. 1 (PRIOR ART), there is a flow diagram used to help describe at a high level the GSM AKA method. GSM AKA is based on a 128-bit secret key, Ki, which in a user side 100 is stored in a Subscriber Identity Module (SIM) 102. In a network side 104, the Ki is stored in an Authentication Centre (AuC) 106. The AuC 106 uses the Ki to derive authentication vectors known as triplets (see box 1.1). Each triplet is composed of:
RAND: 128-bit random number, to be used as a challenge.
Kc: 64-bit key, intended to be used as an encryption key over the air interface.
SRES: 32-bit response to the challenge.
The values of Kc and SRES depend on RAND. Thus, each triplet (RAND, Kc and SRES) generated by the AuC 106 is different from every other triplet.
Once the network side 104 has a triplet available, it challenges the user side 100 with the RAND value from the triplet (see signal 108). The SIM 102 generates Kc and SRES using the received RAND and the internally stored Ki (see box 1.2). The user side 100 then sends a response SRES to the network side 104 (see signal 110). The network side 104 then checks the correctness of the response SRES (see box 1.3). If the received SRES is correct, then the network side 104 grants access to the user side 100.
At the end of this procedure, the network side 104 has assurance that the user side 100 is the claimed one, and that the Kc is available at both the user side 100 and the network side 104, but not to anyone who might have been listening to the communication channel. For a more detailed discussion about GSM AKA, reference is made to the following document:
3GPP TS 43.020 v.5.0.0 “Security Related Network Functions (Release 5)”, July 2002.
The contents of this document are incorporated by reference herein.
Referring to FIG. 2 (PRIOR ART), there is a flow diagram used to help describe at a high level the UMTS AKA method. The UMTS AKA method is similar to the GSM AKA method, but the UMTS AKA has some extras:
The user side 200 is assured that the network side 204 is the claimed one.
An additional key is derived and used to ensure integrity protection over the air interface.
Longer keys and response values are used for increased security.
As in GSM AKA, there is a 128-bit secret key, K, which in the user side 200 is stored in a UMTS Subscriber Identity Module (USIM) 202. In the network side 204, the secret key K is stored in an Authentication Centre (AuC) 206. The AuC 206 uses this secret key K to derive authentication vectors known as quintets (see box 2.1). Each quintet is composed of:
RAND: 128-bit random number, to be used as a challenge.
XRES: 32-bit to 128-bit response to the challenge.
CK: 128-bit key, to be used as a cipher key over the air interface.
IK: 128-bit key, to be used as an integrity key over the air interface.
AUTN: 128-bit value, used for network authentication.
As shown in FIG. 2, once the network side 204 has a quintet available, it challenges the user side 200 with the RAND and AUTN values from the quintet (see signal 208). The USIM 202 checks that the AUTN is correct, and then it generates RES, CK and IK, using the received RAND and the internally stored K (see box 2.2). The user side 200 then sends a response RES to the network side 204 (see signal 210). The network side 204 then checks the correctness of the response RES (see box 2.3). If the received RES is correct, then the network side 204 grants access to the user side 200.
At the end of this procedure, both the user side 200 and the network side 204 know that mutual authentication has been achieved. And, both the user side 200 and the network side 204 have access to the CK, IK which are not available to anyone who might be listening to the communication channel.
Referring in particular to the AUTN, the most relevant characteristic of the AUTN value is that it includes a sequence number, SQN, and a message authentication code (MAC). The SQN has a different and predictable value for each authentication attempt. In addition, the SQN needs to be kept synchronized between both sides 200 and 204, because both sides 200 and 204 need to keep track of the SQN value. And, the user side 200 has to check the correctness of the SQN value.
The SQN ensures that each AUTN value is different and therefore it protects against replay attacks. In a replay attack, an attacker eavesdrops on a valid challenge which contains the RAND and AUTN. Then, the attacker impersonates the network side 204 using that same challenge. The SQN protects against this, since it ensures that the AUTN is different, even for the same RAND. In other words, the user side 200 would not accept a re-used AUTN.
The MAC has the following properties:
Its value depends on SQN.
Knowledge of K is needed in order to generate the MAC.
Thus, upon the reception of AUTN, the user side 200 checks that SQN is correct (i.e. it is not re-used). Then it generates a MAC value using SQN and K, and this MAC is checked to make sure it matches the MAC received in the AUTN, which implies that:
The network side 204 generated the MAC, since only the network side 204 has knowledge of K (apart from the user side 200).
The received SQN is the one originally sent by the network side 204.
For a more detailed discussion about UMTS AKA, reference is made to the following document:
3GPP TS 33.102 v.6.0.0 “Security Architecture (Release 6)”, September 2003.
The contents of this document are incorporated by reference herein.
Referring to FIGS. 3 and 4 (PRIOR ART), there are shown two flow diagrams that are used to help describe at a high level GSM-like (e.g., EAP SIM) and UMTS-like (e.g., EAP AKA) authentication methods. EAP SIM and EAP AKA are EAP methods that take advantage of a GSM or UMTS infrastructure in order to perform authentication in a similar way as GSM AKA and UMTS AKA, but for different access networks in which the utilization of an EAP method is more appropriate.
EAP is an authentication framework that supports multiple authentication mechanisms and can be used on dedicated links, switched circuits, and wired as well as wireless links. For example, EAP can be used to perform the authentication in WLAN access networks in which the access control is based on 802.1X. For a more detailed discussion on how EAP can be used in a WLAN access network, reference is made to the following document:
IEEE Std. 802.1X-2001 “Port-Based Access Control”, June 2001.
The contents of this document are incorporated by reference herein.
It should be appreciated that the IEEE Std. 802.1X-2001 does not mandate the utilization of any specific EAP method and, therefore, in principle any EAP method could be used.
On the other hand, 3GPP is working on specifications for the interworking of WLAN access networks and 3GPP networks. For more details about this, reference is made to the following document, the contents of which are incorporated by reference herein:
3GPP TS 33.234 v.0.6.0 “Wireless Local Area Network (WLAN) Interworking Security”, September 2003 (Work in progress).
In this document, the authentication is done with EAP SIM (for GSM subscribers) and with EAP AKA (for UMTS subscribers). EAP AKA is discussed first; as will be appreciated, it is basically UMTS AKA adapted for use as an EAP method. The basic authentication process for EAP AKA is depicted in the signal flow diagram of FIG. 3 (PRIOR ART).
As shown in FIG. 3 (PRIOR ART), once an authenticator 300 (i.e. network side 300) has obtained the identity of a peer 302 (i.e. user side 302) (see signals 304 and 306), the authenticator 300 retrieves a UMTS authentication vector from the AuC 314 and sends a challenge to the peer 302 which includes RAND and AUTN as in UMTS AKA (see box 3.1 and signal 308). Additionally, a MAC is sent to the peer 302 in order to protect the integrity of the whole challenge message (see signal 308).
The peer 302 then responds with a RES (as in UMTS AKA) and a MAC to ensure the integrity protection of the response message (see box 3.2 and signal 310). The authenticator 300 checks that the received RES and MAC are correct (see box 3.3). And, if they are correct, then it sends a success message to the peer 302 (see signal 312). As in UMTS AKA, the authenticator 300 obtains a UMTS quintet generated in an AuC 314. And, the peer 302 has a USIM 316 that checks the AUTN and calculates the RES.
Referring now to FIG. 4 (PRIOR ART), there is shown a flow diagram that is used to help describe at a high level the EAP SIM authentication method. EAP SIM is basically GSM AKA adapted for use as an EAP method, but it also includes additional features to overcome some of the limitations of GSM AKA:
Several GSM triplets are used for one single authentication process, so that the resulting response and derived keys are longer.
Mutual authentication is provided.
As can be seen in the flow chart, the authenticator 400 (i.e. network side 400) obtains the identity of the peer 402 (i.e. user side 402) (see signals 404 and 406). Then, the authenticator 400 sends the peer 402 a message indicating the version(s) of protocol that are supported (only one version is defined to date) (see signal 408). The peer 402 responds with the selected version and a nonce value (see signal 410).
The authenticator 400 then retrieves several GSM triplets from the AuC 418 and sends a challenge that includes several RAND challenges taken from several GSM triplets and a MAC (see box 4.1 and signal 412). The peer 402 checks this MAC for network authentication (see box 4.2). It should be noted that protection against replay attacks is achieved because the peer 402 sent the nonce to the authenticator 400 which used it to generate the keys that in turn were used to produce the MAC.
At this point, the peer 402 extracts several GSM RAND values from the AT_RAND parameter and generates the corresponding SRES values (see box 4.2). Then, the peer 402 sends the authenticator 400 a MAC that covers the SRES values (see signal 414). The authenticator 400 checks that the received MAC is correct and if it is correct then a success message is sent to the peer 402 (see box 4.3 and signal 416). Similar to GSM AKA, the authenticator 400 generates several GSM triplets in an AuC 418. And, the peer 402 has a SIM 420 that calculates the SRES.
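The EAP SIM exchange of FIG. 4, as an added example that is not the patent's code: several triplets are combined into one AT_RAND challenge, and the MAC key is derived from the Kc values together with the peer's nonce, which is why a captured challenge replayed into a later run fails the peer's MAC check. A3/A8 and the key derivation are simplified stand-ins (HMAC-SHA256 instead of the SIM algorithms and the draft's SHA-1/PRF derivation), the AuC 418 is folded into the Authenticator object, and the class and function names are this example's own.

```python
import hmac
import hashlib
import os

def a3a8(ki, rand):
    # Stand-in for the SIM's A3/A8 algorithms (assumption: HMAC-SHA256, not the real SIM algorithm).
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]                                    # SRES (32 bit), Kc (64 bit)

def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]

def k_aut(identity, kcs, nonce):
    # Simplified EAP-SIM key derivation: the MAC key depends on every Kc and on the peer's nonce.
    return mac(b"".join(kcs), identity, nonce)

class Authenticator:
    """Network side with the AuC folded in: builds AT_RAND from n triplets (box 4.1)."""
    def __init__(self, ki, n=3):
        self.ki, self.n = ki, n

    def challenge(self, identity, nonce):
        triplets = [(r,) + a3a8(self.ki, r) for r in (os.urandom(16) for _ in range(self.n))]
        self.key = k_aut(identity, [kc for _, _, kc in triplets], nonce)
        self.sres = b"".join(s for _, s, _ in triplets)      # expected SRES values
        at_rand = b"".join(r for r, _, _ in triplets)
        return at_rand, mac(self.key, at_rand, nonce)       # signal 412

    def verify(self, resp_mac):                              # box 4.3
        return hmac.compare_digest(resp_mac, mac(self.key, self.sres))

class Peer:
    """User side: the SIM computes SRES/Kc per RAND; the network MAC is checked first (box 4.2)."""
    def __init__(self, ki, identity):
        self.ki, self.identity = ki, identity

    def respond(self, nonce, at_rand, net_mac):
        results = [a3a8(self.ki, at_rand[i:i + 16]) for i in range(0, len(at_rand), 16)]
        key = k_aut(self.identity, [kc for _, kc in results], nonce)
        if not hmac.compare_digest(net_mac, mac(key, at_rand, nonce)):
            raise ValueError("network authentication failed")
        return mac(key, b"".join(s for s, _ in results))    # MAC over the SRES values (signal 414)

def run_eap_sim(auth, peer):
    nonce = os.urandom(16)                                   # nonce chosen by the peer (signal 410)
    at_rand, net_mac = auth.challenge(peer.identity, nonce)
    return auth.verify(peer.respond(nonce, at_rand, net_mac))

def replayed_challenge_is_rejected(auth, peer):
    """A challenge captured from one run and presented in a new run fails: the new nonce changes the key."""
    at_rand, net_mac = auth.challenge(peer.identity, os.urandom(16))
    try:
        peer.respond(os.urandom(16), at_rand, net_mac)
    except ValueError:
        return True
    return False
```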
For a more detailed discussion about EAP, EAP SIM and EAP AKA, reference is made to the following documents:
H. Haverinen et al. “Extensible Authentication Protocol Method for GSM Subscriber Identity Modules (EAP-SIM)”, draft-haverinen-pppext-eap-sim-16.txt, Dec. 21, 2004.
J. Arkko et al. “Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)”, draft-arkko-pppext-eap-aka-15.txt, Dec. 21, 2004.
IETF draft-arkko-pppext-EAP AKA-11 “EAP AKA Authentication”, October 2003 (Work in progress).
IETF RFC 2284 “PPP Extensible Authentication Protocol (EAP)”, March 1998.
The contents of these documents are incorporated by reference herein.
A discussion is provided next about the authentication process in CDMA2000 networks. Currently, CDMA2000 networks support a number of authentication mechanisms at two different levels. The first level is the radio access level which has two different types of access technologies, known as 1x and HRPD (or data only).
The 1x type of access technology has two authentication mechanisms:
1) A legacy method, known as CAVE, which is based on shared secret keys. CAVE is the only solution deployed today. This mechanism is based on a root key (A-Key) and a shared secret data (SSD) derived from the root key, which is used to authenticate the mobile station.
2) The CDMA2000 standard also defines an enhanced authentication and encryption algorithm (AKA). However, this method is not deployed in CDMA2000 networks today. Like CAVE, this method is based on a root key known only by the authentication centre (network side) and the mobile station (user side).
The HRPD access is an authentication process that is performed using “CHAP over PPP” and a key known only by the mobile station (user side) and the AAA (network side). The key is known as the MN-AAA key.
Once the mobile station (user side) is authenticated at the radio access level, it is allowed to set up a packet data session. Then, a second authentication takes place at the user level, which has three different authentication mechanisms. Each of these authentication mechanisms could be used independently of the radio access type, and they are: (1) PPP CHAP; (2) PAP; and (3) Mobile IP FA challenge. Except for PAP, these mechanisms (PPP CHAP and Mobile IP FA challenge) require a key known only to the mobile station and the authentication centre (AAA). This key is known as the MN-AAA key. It should be appreciated that all of the aforementioned CDMA2000 keys are stored in a UIM or Removable UIM inside the mobile station.
A discussion is provided next about some of the problems with the existing solutions. Currently, GSM-like and UMTS-like authentication (such as in EAP SIM and EAP AKA) can only be used in networks that have a GSM or UMTS infrastructure. However, there are other scenarios where utilization of these authentication methods would be advantageous.
For example, 3GPP2 is working on specifications for the interworking of WLAN access networks and CDMA2000 networks. The authentication mechanisms have not been selected yet, but some basic requirements have been identified:
In order to inter-work with 802.1X based WLAN Access Networks, authentication is to be accomplished preferably by means of an EAP method.
The chosen EAP method should be one of the already available methods provided by IETF.
Preferably, mutual authentication is to be provided.
From the perspective of a worldwide technology provider, the ideal situation would be that the same authentication methods could be used in GSM/UMTS networks and in CDMA2000 networks, so that one single product can be deployed in both markets with as few adaptations as possible. In this sense, EAP SIM and EAP AKA have already been defined as the authentication methods to be used in 3GPP networks (i.e. for GSM and UMTS operators). Moreover, both EAP SIM and EAP AKA fulfill the three basic requirements stated above in order to be acceptable authentication methods for WLAN-CDMA2000 interworking.
However, as explained above, EAP SIM and EAP AKA make use of GSM/UMTS infrastructure. That is:
On the network side, the AuC generates authentication vectors (i.e. GSM triplets or UMTS quintets).
On the user side, the secret key is stored in the (U)SIM, which also performs some required calculations (i.e. checking AUTN in the case of EAP AKA, and calculating the responses needed for both EAP SIM and EAP AKA).
Therefore, with the current state of the art, EAP SIM and EAP AKA cannot be used in CDMA2000 networks, due to the lack of a suitable infrastructure both in the network side and the user side. This problem is solved by the present invention.